KubeZero/charts/kubeadm/templates/ClusterConfiguration.yaml

91 lines
3.7 KiB
YAML

apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: kubezero-clusterconfiguration
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.clusterName }}
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
podSubnet: 10.244.0.0/16
etcd:
local:
extraArgs:
#name: {{ .Values.etcd.nodeName }}
### DNS discovery
#discovery-srv: {{ .Values.domain }}
#discovery-srv-name: {{ .Values.clusterName }}
#initial-cluster:
### Regular
#{{- if .Values.etcd.initialCluster }}
#initial-cluster: {{ .Values.etcd.initialCluster }}
#{{- end }}
#initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
#advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
initial-cluster-token: etcd-{{ .Values.clusterName }}
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
logger: "zap"
# log-level: "warn"
{{- with .Values.etcd.extraArgs }}
{{- toYaml . | nindent 6 }}
{{- end }}
# These will only be used to create the etcd certs but removed for Init/Join kudeadm calls allowing us to sneak in aliases for etcd nodes
serverCertSANs:
- "{{ .Values.etcd.nodeName }}"
- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
- "{{ .Values.domain }}"
peerCertSANs:
- "{{ .Values.etcd.nodeName }}"
- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
- "{{ .Values.domain }}"
controllerManager:
extraArgs:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
scheduler:
extraArgs:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
apiServer:
certSANs:
- {{ regexSplit ":" .Values.api.endpoint -1 | first }}
extraArgs:
etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
profiling: "false"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
audit-log-maxage: "7"
audit-log-maxsize: "100"
audit-log-maxbackup: "3"
audit-log-compress: "true"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }}
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
{{- end }}
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.highAvailable }}
goaway-chance: ".001"
{{- end }}
logging-format: json
{{- with .Values.api.extraArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
extraVolumes:
- name: kubezero-apiserver
hostPath: /etc/kubernetes/apiserver
mountPath: /etc/kubernetes/apiserver
readOnly: true
pathType: DirectoryOrCreate
- name: audit-log
hostPath: /var/log/kubernetes
mountPath: /var/log/kubernetes
pathType: DirectoryOrCreate